-{ lib, pkgs, config, myconfig, ... }:
-{
- config = {
- networking.firewall.allowedTCPPorts = [ 22 ];
-
- services.openssh.extraConfig = ''
- AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys
- AuthorizedKeysCommandUser nobody
- '';
-
- secrets.keys = [{
- dest = "ssh-ldap";
- user = "nobody";
- group = "nogroup";
- permissions = "0400";
- text = myconfig.env.sshd.ldap.password;
- }];
- system.activationScripts.sshd = {
- deps = [ "secrets" ];
- text = ''
- install -Dm400 -o nobody -g nogroup -T /var/secrets/ssh-ldap /etc/ssh/ldap_password
- '';
- };
- # ssh is strict about parent directory having correct rights, don't
- # move it in the nix store.
- environment.etc."ssh/ldap_authorized_keys" = let
- ldap_authorized_keys =
- pkgs.mylibs.wrap {
- name = "ldap_authorized_keys";
- file = ./ldap_authorized_keys.sh;
- paths = [ pkgs.which pkgs.gitolite pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
- };
- in {
- enable = true;
- mode = "0755";
- user = "root";
- source = ldap_authorized_keys;
- };
- };
-}